b'DEPARTMENT OF HOMELAND SECURITY\n\n   Office of Inspector General\n\n\n    Independent Auditor\'s Report on\n\n   U.S. Coast Guard\'s FY 2008 Mission\n\n              Action Plans\n\n\x0c                                                                        Office of Inspector General\n\n                                                                        U.S. Department of Homeland Security\n                                                                        Washington, DC 20528\n\n\n\n                                                                       Homeland\n                                                                       Security\n\n                                      July 9,2008\n\n                                      Preface\n\nThe Department of Homeland Security (DHS) Office ofInspector General (OIG) was established by\nthe Homeland Security Act of2002 (Public Law 107-296) by amendment to the Inspector General\nAct of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our\noversight responsibilities to promote economy, efficiency, and effectiveness within the department.\n\nThe attached report presents the results of the U.S. Coast Guard\'s fiscal year 2008 Mission Action\nPlans audit. We contracted with the independent public accounting firm KPMG LLP (KPMG) to\nperform the audit. The contract required that KPMG perform its audit according to generally\naccepted government auditing standards. KPMG is responsible for the attached independent\nauditor\'s report and the conclusions expressed in it.\n\nThe recommendations herein have been discussed in draft with those responsible for implementation.\nIt is our hope that this report will result in more effective, efficient, and economical operations. We\nexpress our appreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                      Richard L. Skinner\n                                      Inspector General\n\x0c                               KPMG LLP                                   Telephone 2025333000\n                               2001 M Street, NW                          Fax       202 533 8500\n                               Washington, DC 20036                       Internet  www.us.kpmg.com\n\n\n\n\nFebruary 22, 2008\n\n\nMs. Anne Richards\nAssistant Inspector General for Audit\nDepartment of Homeland Security, Office of the Inspector General\nMr. David Norquist\nChief Financial Officer\nDepartment of Homeland Security:\n\n\nThis report presents the results of our work conducted to address the performance audit objectives relative\nto the Department of Homeland Security\'s (DHS or the Department) Mission Action Plans (MAPs)\ndeveloped to address the internal control deficiencies at the U.S. Coast Guard (USCG). These\ndeficiencies were identified by management and/or reported in the KPMG LLP (KPMG) Independent\nAuditors\' Report included in the Department\'s fiscal year 2007 Annual Financial Report (FY 2007\nIndependent Auditors\' Report).\n\nThis performance audit is the second in a series of four performance audits that the Department\'s Office\nofInspector General (OIG) has engaged us to perform related to the Department\'s fiscal year 2008 MAPs\nfor use in developing the Department\'s Internal Controls Over Financial Reporting Playbook (ICOFR\nPlaybook). This performance audit was designed to meet the objectives identified in the Objectives,\nScope, and Methodology section of this report. Our audit procedures were performed using draft MAPs\nprovided to us between November 30,2007 (FBwT and Entity Level Controls); and December 31,2007\n(IT integration). Interviews with DHS and USCG management and other testwork, was performed at\nvarious times through February 11, 2008, and our results reported herein are as of February 22, 2008.\n\nWe conducted this performance audit in accordance with generally accepted government auditing\nstandards (GAS). Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our findings based on\nour audit objectives.\n\nThe performance audit did not constitute an audit of financial statements in accordance with GAS.\nKPMG was not engaged to, and did not, render an opinion on the Department\'s or USCG\'s internal\ncontrols over financial reporting or over financial management systems (for purposes of Office of\nManagement and Budget Circular No. A-I27, Financial Management Systems, July 23,1993, as revised).\nKPMG cautions that projecting the results of our evaluation to future periods is subject to the risks that\ncontrols may become inadequate because of changes in conditions or because compliance with controls\nmay deteriorate.\n\x0cTABLE OF CONTENTS\n\nEXECUTIVE SUMMARY                       ~        2\nBACKGROUND                                       4\nOBJECTIVE, SCOPE, AND METHODOLOGy                5\nFINDINGS AND RECOMMENDATIONS                ,    7\nMANAGEMENT RESPONSE TO OUR REPORT               10\nKEY DOCUMENTS AND DEFINITIONS                   11\n\n\n\n\n                                    1\n\x0cEXECUTIVE\xc2\xb7 SUMMARY\n\nThe Department of Homeland Security (DHS or the Department) has identified weaknesses inintemal\ncontrol over financial reporting through its annual assessment conducted pursuant to Office of\nManagement and Budget (OMB) Circular No. A~123, Management\'s Responsibility for InternalControl,\nand compliance with the Federal Managers\' Financiallntegrity Act (FMFIA). Some deficiencies are\nmaterial weaknesses identified by DHS\' external financial statement auditor. Beginning in 2006,the\nDepartment launched a comprehensive corrective action plan to remediate known internal control\ndeficiencies... The plan is documented in the Internal Controls Over Financial Reporting. Playbook\n(ICOFR Playbook). The Mission Action Plan (MAP) isa key input to the ICOFR Playbook that\ndocuments the remediation actions planned for each control deficiency at theDHS component level. The\nMAP provides specific actions, timeframes, key milestones, assignment of responsibility,. and the timing\nof corrective action validation.\n\nThe objective of this performance audit was to evaluate and. report on the status of the detailed MAPs\nprepared by the United States Coast Guard (USCG) to correct internal control deficiencies over financial\nreporting. We conducted our audit in accordance with the standards applicable to such audits contained\nin the GovermnentAitditing Standards, issued by the Comptroller Generalofthe United States. Our audit\nwas performed using specific criteria, to assess the process used by the USCG, and to evaluate the MAPs\nsubmitted by USCG to the DHS Chief Financial Officer to be included in the 2008 ICOFR Playbook.\n\nThe evaluation criteria were developed from a variety of sources-including technical guidance published\nbyOMB,the Government Accountability Office, and applicable laws and regulations. We also\nconsidered DlIS\' policies and guidance, and input from the Office ofInspector General when designing\nevaluation criteria. Our evaluation criteria are:\n    L\t Identification (of the root cause) - Identification of the appropriate underlying problem or root\n        cause of the internal control deficiency condition(s).\n    2.\t Development (of the MAP)- Clear action steps that address the root cause, with attainable and\n        measurable milestones at an appropriate level of detail.\n    3.\t Accountability (for execution of the MAP) - The individual MAP owner is held responsible for\n        its successful implementation, ensuring that milestones are effectively and efficiently achieved\n        andthat the validation phase is completed.\n    4.\t Verificatiqnand validation--\' The MAP; includes written procedures to verify successful\n        implementation of the MAP, a means to track progress throughout the MAP lifecycle, and\n        reporting results when complete.\n\nWe noted that the USCG has prepared MAPs that address the control deficiencies over Fund Balance with\nTreasury (FBwT); Entity-Level Controls; and Information Technology (IT) Integration. However, we also\nnotedare~swhere the MAPs could be improved. Specifically, we ttotedthat arnore thorough analysis\nshould be performed to identify the underlying problem that created the control deficiencies. Theroot\ncause analysis should .include consideration .of the relevant detailedpr()cesses, humanresources,andlT\nsystems. The analysis should be expanded. to consider interdependencies with other processes, and\ncontrol deficiencies, and corrective actions should be cross-referenced with management assertions at the\nfinancial statement level to ensure thatremediation is most effective.\n\nInsome cases, the MAPs. did notincJude specific corrective.actions, with incremental milestones that are\nattainable, measurable, and verifiable, over a realistictimeframe. The MAPs lacked an appropriate level\nofdetail to enable independent analysis ofthe effectiveness of the MAPs in remediatingrootcauses and\nproviding users with insight on the period status of the MAP implementation.                          .\n\n\n\n\n                                                   2\n\x0cThe USCG lacks a comprehensive plan for verification and validation of MAP results that can be used to\nmonitor and report results. Further, the verification and validation procedures that are included in the\nMAPs are not clearly linked to the Department\'s OMB CircularA-123 initiatives currently underway.\nWe recommended thatthe USCG revise its MAPs to address theseconcems. We are also recommending\nthatthe USCG develop an "end state" model for each defined process, including taking any future\nDepartment system baseline and support for financial reporting assertions, laws & regulations, and\naccounting standards into consideration. They should then compare the current processes with the\nidentified control and process deficiencies and root Causes to the "end state" model to develop specific,\nactionable, and measurable project plan steps linked to supporting the financial reporting. assertions and\ncomplying with laws and regulations and accounting stcmdards.\n\n\n\n\n                                                    3\n\n\x0cBACKGROUND\n\nThe Department of Homeland Security (DRS or the Department) and the United States Coast Guard\n(USCG) recognize that deficiencies in internal control over financial reporting exist The internal control\ndeficiencies are reported by DRS management in its annual Secretary\'s Assurance Statements, issued\npursuant to Office ofManagement and Budget (OMB) Circular No. A-123, Management\'sResponsibility\nfor Internal Control. The Secretary\'s Assurance Statement and the findings of the external auditor are\nreported in Department\'s fiscal year 2007 Annual Financial Report (AFR). The conditions causing the\ncontrol weaknesses are diverse and complex. Many conditions are systemic, inherited with legacy\nfinancial processes and IT systems at the time oftheDepartment\'s formation in 2003; The evolution of\nthe Department\'s mission, programs,component restructuring, and other infrastructure changes has made\nremediation of these control weaknesses very challenging. To meet this .challenge, the Department\'s\nSecretary, Chief Financial Officer and financial management in the DRS components have adopted a\ncomprehensive strategy to implement corrective actions beginning in fiscal year (FY) 2007 and\ncontinuing inFY 2008.\n\nThe DRS Office ofthe Chief Financial Officer (OCFO),Internal Control Program Management Office\n(ICPMO) is primarily responsible for the development and implementation of the Department\'s strategy\nto implement corrective action plans. The ICPMO has documented its strategy and other related plans to\nremediateidentified internal control deficiencies in the Internal Controls Over Financial Reporting\nPlaybook (ICOFRPlaybook).\n\nIn 2006, the Department issued Management Directive 1030, Corrective Action Plans, and the\nDepartment enhanced its existing guidance by issuing the Mission Action Plan Guide, Financial\nManagement Focus Areas Fiscal. Year 2008 (MAP Guide). In accordance with the MAP Guide, the\nDepar~mentand thecomponentscieyeloped Mission Action Plans (MAP)Jhatdescribes the corrective\nactions to be implemented. The Deparlment continued to utilize Electronic Program Management Office\n(ePMO), a Web-basedsoftware applicalion, to manage the collection and reporting of MAP information.\n\nThe MAP Guide is applicable to all Department components, including USCG, .and outlines the policies\nand procedures necessary to develop fiscal year 2008 Department MAPs. All components were required\nto submit MAilS, or MAP updates, for any new or existing internal control deficiencies over financial\nreporting, identified by management or the external auditors, for inputinto to the fisc.al year 2008 ICOFR\nPlaybook.\n\nTo comply with Management Directive 1030, and the MAP Guide,\xc2\xb7 the USCG adopted the Financial\nStrategy for Transformation and Audit Readiness (FSTAR)\xc2\xb7 initiative. . With the support of the\nDepartment, the USCG I FSTAR prepared tmeedetailed MAPs for fiscal year 2008, related to the internal\ncontrol deficiencies over FBwT; Entity-Level Controls; and IT Integration reported as or contributing to\nmaterial weaknesses in the 2007 IndependentAuditors\' Report, which are summarized below:\n    \xe2\x80\xa2\t Financial Management and EntityLevel Controls- USCG has not fully implemented an effective\n       financialmanagementorgadizationa,l\xc2\xb7\xc2\xb7structure. It has .significant weaknesses .in financial\n       management oversight that hindered its ability to prepare accurate, complete, and timely financial\n       information.               .\n    \xe2\x80\xa2\t Fund BalancewithTreasury -. USCG did nothave effective.controls or supporting documentation\n       thatvalidated .the accuracy of all of its FBwT. balances, reconciliations, and clearing of suspense\n       items. Ifdidnot have an\xc2\xb7 effective . process for accounting for. suspense account transactions\n       relatedto FBwT. The USCG was unableJo provide validated military and civilian payroll data to\n       support payroll transactions processed through the USCG\'s FBwT.\n\n\n\n                                                    4\n\x0c    \xe2\x80\xa2\t FinanciaL Reporting: IT Integration - USCG\'s financial reporting material weaknesses include\n       control deficiencies related to IT Integration. The USCG has not developed and\xc2\xb7 implemented an\n       eftectivegeneralledger system. Its financial and mixed IT systems are not sufficiently integrated\n       and are significantly noncompliant. with the requirements ofthe Federal Financial Management\n       Improvement Act.\n\nConditions existing at the USCG contributedto all Department material weaknesses in internal control\nover financial reporting, reported in FY2007 (seyen in total). However, to focus its attention and\nresources, the USCG has limited its MAPs to the three weaknesses described above. MAPs to correct .the\nremaining four material weaknesses,e.g., IT systems security, capital assets, liabilities, budgetary\naccounting, and other conditions affecting financial reporting, will be developed by USCG\'s Financial\nStrategy for Transformation and Audit Readiness (FSTAR) later in FY2008 or beyond.\n\nOBJECTIVE, SCOPE,AN"D METHODOLOGY\n\nObjectives\nThe objective ofthis performance audit was to evaluate and report on the status of detailed MAPs\nprepared by USCG to correct internal control deficiencies over financial reporting. Our evaluation was\nperformed using specific criteria,described in the Methodology section below, to assess the process used\nto .develop and document USCG\'s FY 2008 MAPs.. We did not evaluate the outcome of the MAP\nprocess, or any corrective actions taken by management during our audit,and our findings should not be\nused to project ultimate results from the MAP implementation. Recommendations are provided to help\naddress findings identified during our performance audit.\n\nScope\nThe scope of this performance audit includes USCG\'s FY2008 MAPs developed to address the FBwT;\nEntity-Level Control; and IT Integration control weaknesses at the USCG as reported in the Secretary\'s\nFY 2007 Assurance Statement, and in the FY 2007 DHS Independent Auditors\' Report. TheMAPs\nsubjected to our evaluationwere provided by the OCFO, on behalf of the USCG, between November 30,\n2007 {FBwT and Entity Level Controls);.\xc2\xb7 and December 31, 2007 (IT integration). The scope of this\nperformance audit did not include procedures on any of the MAPs associated with other control\ndeficiencies existing at USCG as reported in the FY 2007 Independent Auditors\' Report. Our audit was\nperformed between January 4,2008 and February 11, 2008, and our results reported herein are as of\nFebruary 22,2008.\n\nMetbodology\nWe conducted this performance audit in accordance with the standards applicable to such audits contained\nin. the Government Auditing Standards, issued by the\xc2\xb7 ComptroUerGeneral of the United States. Our\nmethodology consisted ofthe following four-phased approach:\nPhaseI- Project Initiation and Planning - We attended meetings with the Department\'s Office of\nInspector General (OIG), OCFO,and USCG to review the, performance auditobjectiyesand scope,\ndescribe our audit approach,communicate data requests,. and gain an understanding of the statuso[ USCG\n2008 MAPs.\nPhase II - Data Gathering- We performed interviews with accounting and finance management and\nstaffat USCG andOCFO. Through these interviews,we gained an understanding of the process used to\ndevelop the MAPs" including key inputs and data used, assumptions made, and reasons for conclusions\nreached. The interviews focused on theanalysispertormed byUSCG to identify the underlying problems\ncreating the internalcontrol weakness (root cause), the planned corrective actions, the critical milestones\nchosen for measurement, and the methods used to monitor and validate progress in meeting the\nmilestones. We discussed USCG\'s resourceaUocationstrategyemployed in the development and\n\n\n\n                                                    5\n\x0ceventual implementation of the MAPs, including ,the utilization of contractors to supplement staff as\nneeded and the use of specialists, if necessary. We conducted meetings with the Department\'s OIGto\nidentify and agree to the criteria used to evaluate the status of the MAPs (as defined below).\nWe performed reviews of key documents and supporting information provided to us. Our documentation\nreviews included:\n    \xe2\x80\xa2\t The three USCG MAPs (i.e., the MAP Detail and Summary Reports) that were included within\n        our scope,and\'any underlying supporting documentation provided by USCG.\n    \xe2\x80\xa2\t The Notice of Findings and Recommendations (NFRs) issued during. the FY 2007 financial\n        statement audit by the external auditors that supported the internal control findings reported in the\n        FY 2007 Independent Auditors\' Report.\n    \xe2\x80\xa2\t Information provided by USCG management regarding the allocation of resources related to all\n        MAPs, including the utilization of contractors.\n    \xe2\x80\xa2\t The Annual Component Assurance statements provided pursuant to the requirements of OMB\n        Circular No. A-123.\n    \xe2\x80\xa2\t The ICOFR Playbook, MD 1030, the MAP Guide, draft USCG FSTAR Standard Operating\n        Procedures (SOPs), and existing internal control monitoring guidance {e.g., OMB Circular\n        No. A-123).\nPhase III \'- Analysis Using Established Criteria ~ Our evaluation criteria were developed from a variety .\nof sources including technical guidance published by. OMB(e.g., Circular No. A\xc2\xb7123) and the\nGovernment Accountability Office (e.g., Standards for Internal. Control in the Federal Government), and\napplicableFed~rallaws and regulations (e.g., Federal Managers\' Financial Integrity Act of 1982). We\nalso considered DRS\' policies and guidance, such as the MAP Guide and the ICOFRPlaybook, and input\nfrom the OIG. Our evaluation criteria were:\n    1.\t Identification (oftheroot cause)-Identification of theappropriate underlying root cause that is\n        causing the internal control deficiency. Acomprehensiveallalysis typically includes a full\n        assessment of the business processes, data flows, and information systems that drive the\n        transactions/activities associated with the accounting process where the internal control\n        deficienCies are believed to exist. A thorough root cause analysis should include:\n        a) Research to discover why, when, and ):low the condition occurred - what went wrong and\n            why?\n        b) Investigation to determine if the problem is procedural or human resources or both\n            (processes,and lor people).\n        c) An evaluation to determine iflT system functionality is contributing totheproblem,and iflT\n            system modifications could be part of the remediation;\n        d) An evaluation of internal controls, including the existence of compensating controls that may\n            mitigate the deficiencies.\n    2.\t Development (oftheMAP) --\'- The MAP includes action steps that addressthe root cause, and\n        attainable and measurable milestones at an appropriate level ofcietaiL Milestones should enable\n        independent analysis of a MAP\'s effectiveness\xc2\xb7. in remediatingroot causes, and provide MAP\n        users withillsighton thestatusofthe MAP\'s implementation. For example, they enable a userto\n        determine if the appropriate level of resources to execute a milestone is available and identify\n        potential gaps in milestones (e.g. a contractor may need to be hired before a specific milestone\n        can be achieved);\n    3.\t Accountability{for executionofthe MAp)- Accountability for the MAP is clearly identified and\n        assigmJd. The individual\xc2\xb7 MAP owner is responsible for its successful\xc2\xb7 implementation, ensuring\n        that milestones are achieved, and validation of results.\n    4.\t Verification and Validation -The MAP includes writtenprocedtires"that verify successful\n        implementation of the MAP, provide a means to track progress\xc2\xb7 throughout the MAP Jifecycle,\n\n\n\n                                                     6\n\x0c         and require reporting results when complete. These activities should include documentation\n         reviews, work observations,andperformancetestingthatis maintained for internal OMB Circular\n         No. A-123 review and external audit.\nPhase IV ~ Findings and Recommendations - After conducting our Phase III procedures and applying the\nevaluation criteria to the MAPs, we" formulated our findings and recommendations. The findings\nrepresent areas for potential improvement that could negatively affectUSCG,s remediation of the control\ndeficiencies if the MAP isperformedas designed.\n\nFINDINGS AND RECOMMENDATIONS\n\nThe findings and recommendations described below resulted from procedure; we peiformed on the MAP\ndocumentation provided on January 4, 2008 and do not reflect any subsequent enhancements and\nchanges made to the documentation. We have not performed testwork over the nature and extent of any\nmodifications madesubsequentto our review and the findings and recommendations detailed below are\nnot reflective ofany changes.\n\nFindings\nWe categorized our findings by evaluation criteria.\n\nIdentification                       .     .                      .                        .\n\nOur observations and comments related to the identification criteria of the USCG MAps are consistent\n\nacross each ofthree MAPs -FBwT, Entity,level controls, and IT Integration. We noted that:\n\n    \xe2\x80\xa2\t   The root causes identified were often generally defined, e.g., "Coast Guard has not designed a\n         comprehensive, integrated accounting IT system to comply with the FFMIA system requirements\n         andthe USSGL atthe transaction level." We also noted that the root cause was often listed as a\n         condition or symptom of the problem, e.g" "Personnel Service Center (PSC) was not informed of\n         the recurring reclassification entries that the finance center (FINCEN) manually processes due to\n         errors in the interface file."\n\n    \xe2\x80\xa2\t   Evidence of an in-depth root caUSe analysis, including supporting information, and personnel\n         consulted, was not created or maintained, preventing supervisory review, and independent\n         corroboration of conclusions. USCG personnel indicated that root causes were determined by\n         review of the Notice . of Findings and Recommendations issued during the DRS financial\n         stalementaudits, the. documentation developed and control.\xc2\xb7 gaps identified during theA-123\n         assessmentproject,llnd . conSensus reached through discussions between key USCG process\n         owners.      Consequently, we were unable to substantiate that the USCG performed an\n         investigation to identify.the .underlying. problem, and conducted their assessment of the. business\n         processes,data flows,and information systems that drive the transactions/activities associated\n         withthe control deficiencies and material weakllesses.\n\n    \xe2\x80\xa2\t   Critical interdependencies are not identified.. Forexample, to successfully implementtheFBwT\n         MAP, and remediate the FBwT material weaklless, .it may benecessaryJorUSCG to meet\n         milestones and correctunderly~ng conditions identified hi other MAPs related to human resources\n         and payroll, payment management, budgetary resource management,entity~level controls and/or\n         the IT prOcesses. However, the FBwT MAP does. not illustrate these potential interdependent\n         milestones or indicate how they may affectthe successful implementationoftheFBwT MAP.\n\n    \xe2\x80\xa2\t   The conditions identified in the issue description sections onhe MAps do not clearly link or\n         crosHeference to audit findings and the material weakllessconditions identified in the\n         Independent Auditors\'Report,making it difficult to determine if all of the conditions supporting\n         controlweakllesses have been considered and are addressed in the MAPs. In certain instances,\n\n\n\n                                                      7\n\x0c         the conditions described in the "Issue Description" section ,of the three MAPs do not clearly\n         articulate the conditions and the severity of such conditions and how they impact the ability of\n         management to support its financial reporting assertions. If the issues are not accurately\n         described, USCGrisks not being able to conduct comprehensive root cause analysis and develop\n         effective MAPs.\n\nDevelopment\nOur observations and comments related to the development criteria of the USCG MAPs are consistent\nacross each of three MAPs -FBwT, Entity-level controls, and IT Integration. We noted that:\n    \xe2\x80\xa2\t   The MAPs lack specificity - The MAPs include general steps such as, "conduct analysis of IPAC\n         and other significant Classes of transactions," "Develop and promulgate operational objectives for\n         internal control," "develop and implement standardized \'payment confirmation process," and\n         "Implement monitoringlenforcementbased on process/procedures defined," which are broad\n         objectives, and usually not measurable.\n    \xe2\x80\xa2\t The current MAP milestones are not linked directly to the financial statement assertions affected\n       by the control weaknesses. As a result, the succ.essful completion of the milestones may not fully\n       address the appropriate financial assertions and achieve the desired result of correcting the\n       existing internal control deficiencies.\n    \xe2\x80\xa2\t   Some MAPs defer the development of the detailed MAP project plan and milestones. For\n         example, the Entity-level control MAP includes a task to \'\'\'develop detailed project plan &\n         resourcing assessment to conduct workforce analysis on financial management organizational and\n         internal ccmtrol strategy, structure,and processes" by September 1,2008.\n\nAccountability\nOur observations and comments related to the accountability criteria of the USCG MAPs are consistent\nacross each of three MAPs - FBwT, Entity-level controls, and IT Integration. The USCG properly\nidentifies a responsible party for theMAPs,and the USCG designee in-charge of each MAP. As such,\naccountability for the MAP implementation is specified.\nThe USCG is currently evaluating its human and otherresource necessary to implement the MAPs. The\nMAPs and. the draft FSTAR SOP state, "no funding willbe applied to a task without a vetted, approved\nproject plan" however, project plans have not been developed or completed, In accordance with its\npolicy, the MAP will need to be approved before funding is provided and resources acquired. Delaysin\nfinalization of the plan and acquisition of resources could affect the timely completion ofplanned actions\nin FY2008.\n\n Verification and Validation\n.Our observations and comments related to the, verification and validation criteria of the USCG MAPs are\n consistent across each ofthree MAPs - FBwT, Entity-level controls, and ITIntegration. We noted that:\n    \xe2\x80\xa2\t   Some key milestones in the MAPs contain steps that are not measurable or designed with\n         incremental objectives. USCG has identified various critical milestones within each of the three\n         MAPs, however they are often defiged without a degree of specificity that would allow\n         measurement. For example, we noted many milestones are achieved through confirmation of\n         progress frorn the task owner. Confirmation of milestone completion is not a feasible\n         measurement method,\' as achievement of a critical\' milestone should be measured using concrete\n         evidence demonstrating, that, the task is complete. , The difficulty in implementing, a feasible\n         measurement method for all, critical\' rnilestonescould stem from the lack of detailed, actionable\n         steps.\n\n\n\n\n                                                     8\n\x0c   \xe2\x80\xa2\t   Many milestones are based on passage of time. Per the MAP Guide, "In the event that a MAP has\n        a gap between any milestones (including the initial and final milestones} greater than or equal to 2\n        months, the Component must include interim milestones for that timeframe to ensure quarterly\n        progress and results can be determined."\n   \xe2\x80\xa2\t   While a contractor has drafted and provided to USCG for review, a set of operating procedures to\n        monitor the progress of the MAP, the USCG has not adopted a comprehensive verification and\n        validation plan to monitor the progress of the MAP. In addition, USCG has not implemented a\n        mechanism to monitor its progress in meeting MAP milestones.\n\nRecommendations\nWe recommend thatthe USCG perform the following to address our findings.\n   1.\t Review each MAP, complete a thorough root cause analysis.            When finished, the root cause\n       analysis should:\n            a.\t Identify the problem causing the internal control weakness, including how it occurred,\n                when, and why. Current policies and procedures, human resources, and how IT systems\n                affect the conditions should be considered;\n            b.\t Identify and show consideration of all significant interdependencies, with overlapping\n                processes and other MAP\'s. Perform process/sub~processanalysis at a detailed activity\n                ortransaction level to identify all control and process deficiencies. This analysis should\n                include a walkthrough or "test drive" of the. activity/process flow with actual data or\n                transactions. This facilitate enable the USCG\'s ability to develop comprehensive MAPs\n                that include potential interrelationships between processes or other MAPs;\n            c.\t Be prioritized for correction,. to minimize duplication of effort where corrective actions\n                overlap (I.e., correction of IT system posting logic errors may resolve lllultiple issues, or\n                mitigate the need for process changes); and\n            d.\t Be documented with sufficient level of detail to provide an adequate understanding of\n                control and process deficiencies, how the deficiencies affect the financial reporting\n                assertions,laws and regulations, and accounting standards, and enable a MAP user to\n                prioritize the conditions based on their severity. Maintain documentation supporting the\n                analysis for management review, OMB CircularA-123 cross-reference and external\n                auditor review.\n   2.\t Modify the MAPs based on the analysis performed in #1 above. Each MAP should include\n       specific corrective actions,. avoiding general steps. Link or. cross-reference the conditions\n       identified in the issue description sections of the USCG MAPs to the material weakness\n       conditions identified in the FY 2007 Independent Auditors\' Report, to ensure reconcile the\n       conditions identified in the FY 2007 Independent Auditors\' Report to actions in the MAPs.\n       Matrix the MAPs to the specific financial statement assertions that are affected by the control\n       weaknesses being identified to ensure coverage of all key management assertions.\n   3.\t Each MAP should include incremental milestones that are attainable, measurable, and verifiable,\n       at an appropriate level of detail to enable independent analysis of a MAP\'s effectiveness in\n       remediatingroot causes and provide MAP users with insight on the status orthe MAP\'s\n       implementation. Ensure that MAP milestones and implementation schedules are realistic given\n       USCG funding constraints. Avoid usingmilestones that are met simply by passageoftime.\n   4.\t Develop acomprehensivepla.n for verification and validation of MAP results that can be us~d to\n       monitor and report results. Link the verification procedures to the OMB Circular A"123\n       initiatives of the Department. Ensure that the objective of the verification and validation process\n\n\n\n\n                                                     9\n\x0c       as described in the .draft FSTAR SOP is to determine whether the remediation action was\n       successful in supporting the relevant financial reporting assertions and/or compliance with laws\n       andregulations and accounting standards;\n   5.\t Include the development ofan "end state" model for each definedprocess, including taking future\n       Department systems baseline and support for financial reporting assertions, laws and regulations,\n       and accounting standards into consideration.. The end state model should account for the entire\n       business process or life cycle from initiation through to completion (e.g. often\'the recording and\n       reporting activities in a trans~ctional process). Then compare the current processes with the\n       identified control and process deficiencies and root causes to the end state model to develop\n       specific, actionable and measurable projectplan steps linked to supporting the financial reporting\n       assertions and complying with laws and regulations and accounting standards.\n   6.\t Ensure that the USCG MAP owners have the support necessary to successfully implement the\n       MAPs.\n\nMANAGEMENT RESPONSE TO OUR REPORT\n\nManagement has prepared an officialresponsepresented as a separate attachment to this report.\nIn sutnmary, management agreed with our findings and its comments were responsive to our\nrecommendations. We did not audit management\'s response and, accordingly, we express no\nopinion on it.\n\n\n\n\n                                                  10\n\n\x0cKEY DOCUMENTS AND DEFINITIONS\n\nThis section provides key definitions and documents for the purposes of this report.\n\nTheFederal Managers\' FinanciallntegrityAct (FMFrA) requires that Executive Branch Federal agencies\nestablish and maintain an effective internal control environment accordingto the standards prescribed by\nthe Comptroller General and specified in the Government Accountability Office\'s (GAO) Standardsfor\nInternal Control in the Federal Government. In addition, it requires that the heads of agencies to\nanmIally evaluate and report on the effectiveness of the internal control and financial management\nsystems.\n\nGAO\'s Standards forlnternal Control in the Federal Government(Standards) defines internal control as\nan integral component of an organization\'s management that provides reasonable assurance of:\neffectiveness and efficiency of operations, reliability of financial reporting, and compliance with\napplicable laws and regulations.\n\nThe Department arHomeland Security Financial AccountabilitvAct (the DRS FAA) designates the\nDepartment\'sChief Financial Officer (CFO), under the authority of the Secretary, as the party responsible\nfor the design and implementation of Department-wide internal controls. Furthermore, the DRS FAA\nrequires that a management\'s. assertion and an audit opinion of the internal controls over financial\nreporting be included in the Department\'s anllual Pelformance and Accountability Report.\n\nOffice of Management and Budget(OMB) Circular No. A-123, Management\'s Responsibility for\nInternal Control. provides guidance on internal controls and requires agencies and Federal managers to\n1) develop and implement management controls; 2) assess the adequacy of management controls;\n3) identify\' needed improvements; 4) take cqrrespondingcorrective. action; and 5) report . annually on\nmanagement controls. The successful implementation of these requirements facilitates compliance with\nboth FMFIAand the DRS FAA.\n\nOffice of. Management and Budget COMB) Circular No.. A-127, Financial Management Systems,\nprescribes policies and standards for executive departments and agencies to follow in developing,\noperating, evaluating, and reporting on financial management systems. The successful implementation\nof these requirements facilitates compliance with both FMFIAand the DRS FAA.\n\nInternal Control Deficiencies - AcontroLdeficiency exists when the design or operation of a control\ndoes not allow. management or employees, in the normal course ofperfonning their assigned functions,\nto prevent or detectmisstatements ona timely basis. A significant deficiency is a control deficiencY,or\ncombination of control deficiencies, that adversely affects DRS" ability to initiate, authorize, record,\nprocess, or report financial data reliably in accordance with U.S. generally accepted accounting\nprinciples such that there is more than a remote likelihood that a misstatement of DRS\' financial\nstatements thatismotethan inconsequential will not be prevented ordetectedby DRS\' i,nternal control\nover financial reporting. Amaterial weakn,ess is a significant deficiency, orcombiilation of significant\ndeficiencies, .that results in more thana remote \xe2\x80\xa2likelihood that a material misstatement of the financial\nstatements will not be prevented or detected by DRS\' internal control.\n\nManagement Directive (MD) 1030, CarrectiveAction Plans, establishes \'the "Department\'s vision and\ndirection on the roles, and responsibilities for developing, maintaining,. reporting,. and monitoring MAPs\nspecific to the DHS Financial Accountability Act, FMFlA, and related OMB guidan,ce." In additionto the\nroles and responsibilities,MDl030 outlines the policies and procedures related to the MAP process. The\n\n\n\n\n                                                    11\n\n\x0corganizational structure detailed m MD 1030 encompasses employees at both the component and\ndepartment levels.\n\nThe Internal Controls Over Financial Reporting (lCOFRI PlaybookCICOFR Playbook) was developed\nby theOCFO, Internal Control Program Management Office, to assist the Department in meeting the\nfinancial accountability requirements outlined in the DHS FAA. The ICOFR Playbook outlines the\nDepartment\'s "strategy and process to resolve materialweaknesses and build management assurances."\nOn an annual basis, the ICOFR Playbook is updated by th~ OCFO to enhance its exitingguidance, as\nnecessary, and establish milestones, which will be monitored by the OCFO throughout the year. A\ncomponent of the ICOFR Playbook is MAPs developed by the Department and its components to correct\ninternal control deficiencies.\n\nThe Mission Action Plan Guide. Financial Management FocusAreasFiscal Year 2008 (MAP Guide}\noutlines the policies and procedures to be used to develop MAPs throughout DHS,pursuant to the roles\nand responsibilities established by the DRS Management Directiv\'e(MD) 1030, Corrective Action Plans.\nThe MAP Guide applies to all Department Components and Offices (e.g.,OFM) where a control\ndeficiency has been identified.. Note non-conformances related to the Federal Information Security\nManagement Act (FISMA), are under the purview\xc2\xb7 of the\xc2\xb7 Department\'s Chief Information Security\nOfficer\'s Plan ofAction and Milestones (POA&M) Process Guide.\n\nElectronic. Program. Management Office (ePMO) is a Web-based software application the OCFO\ndeployed to manage the collection and reporting ofMAP information.\n\nMission Action Plans (MAPs), as defined in the MAP Guide, are documents prepared to facilitate the\nremediation of internal control deficiencies identified by. management or by external parties. MAP\ndocumentation,. as described in detail in the MAP Guide,. inclUdes a MAP Sutnmary Report and a MAP\nDetailed Report that are required to be subniitted to the OCFO throughePMO. Below are brief\ndescriptions ofthe MAP Summary and MAP Detailed Reports, based on the ePMO MAP Reports Quick\nGuide contained in the MAP Guide:                                                       .\n\n   \xe2\x80\xa2\t   TheMAP Summary Report contains sections to describe the issue (e.g. internal control deficiency\n        conditions), results of the root cause analysis performed, relevant financial statement assertions\n        affected by the issue,key strategies and performance measures, resources required, an analysis of\n        the risks and impediments as seen by management, verification and validation methods, and the\n        critical milestones. to be. achieved.\n   \xe2\x80\xa2    The MAP Detailed Report provides additional data on the milestones, not only on those identified\n        as critical but also those sub-milestones under a critical milestone. For each milestone (critical or\n        sub), the following data is reflected: due date, percentage of completion, status (e.g., Not Started,\n        Work in Progress and Completed), and the responsible and assigned parties.\n\nThe Department\'s Annual Financial Report (DHS AFR) was issued onNovember 15, 2007 and consists\nof the Secretary\'s Message, Management\'s Discussion andAnalysis, Financial Statements and Notes,an\nIndependent Auditors\' Report, Major Management Challenges, and otherrequired information. The AFR\nwas prepared pursuant to OMB Circular No. A-136, Financial Reporting Requirements.               .\n\n\n\n\n                                                     12\n\x0c\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2 ,-,   ,   ,.... \xe2\x80\xa2\xe2\x80\xa2   \xe2\x80\xa2    \xe2\x80\xa2 \xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2 ~~ \xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2 ~ \xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2 ~   l.~ ,_   .\n\n\n\n\n                             U~S.Departmlimto~f\n                                            \xe2\x80\xa2                                          .    Commandant\t\n                                                                                            United States Coast GUard\n                                                                                                                            2100 Se<:ondStreet,$.W.\n                                                                                                                            Wallhfngt(ll\'\\,OC2QS9a.0001\n                             H.OlllO.I.J.O.d. $!I".IlIy. . . . \xe2\x80\xa2 .\xe2\x80\xa2. . .\xe2\x80\xa2. .\xe2\x80\xa2.\xe2\x80\xa2        \xc2\xb7\t                                   staff Symbol:C;G-S5\n                             Unlt$d St.ate.                            ..       ...\t                                        Phone: (202)\xc2\xb7 372\xc2\xb7:m7\n                             CoastGuard                                     .                                               Elmall; I$kundayo.G.Faux@lJSeg.mll\n\n\n                                                                                                                            7000\n\n                                                                                                                                MAY I\' 2008\n                             MEM~c:UM                                                                                                                            I\n\n                             From:\t RD,ML I<.eith Taylor                                                         Reply to    CO..85                              I\n                                    Assistant\xc2\xb7Commandant f01\' Resources                                          Attn of:    CAPTE.a.Faux\n                                    and Chief FinMcialOfflcer\n                                    U. S, Coast Guard (USCG)\n                                                                                                                             (202) 372~3717                      i\n                             To:\t   Anne L. Richards\n                                    AssistMt Inspector General for Audits\n                                    Department ofHomeland Security (DHS)\n                                                                                                                                                                 I\n\n                                                                                                                                                                 I\n\n                                                                                                                                                                 i\n                             SUbj:\t                       MANAGEMENT RESPONSE TO DRAFT PERFORMANCE AUDIT REPORT ON\n                                                          USCG FY 2008 MISSIONACTION PLANS\t             .\n                             1.. Thank YQufor theopportunity to provide comment on thedraftperformanceauditteport\n                             pertaining to the U. S.Coast.Guard\'s FY\xc2\xb7 2008 Mission.Action Plans (MAPs). While.in.general\n                             the CQastGu~dconcurs with thefmdings andreconnnendations contailled inthe report, it\n                             important to note that these MAPs were prepared using the follOWing $tepsprovided in.DHS\n                             guidance: iclentify control deficiencies, conduct root cause analysis, identify root cause based\n                             actions, develop milestones and tasks, and approve the MAP.\n\n                             2. To iml\'toy~ the process and expectedresultstheServicehastaken several positive steps over\n                             the past three months .to. address the issues identified in the audit. With the.Coast Guard\n                             FinancialStrategy for TransfonnationMd Audit Readiness (FSTAR) pubUshedin March 2007\n                             as our basis and in alignmetlt with thefmdingsoftheaudit, the Coast Guardisretining its\n                             approaCh for financial\xc2\xb7audit readiness to betterartieulate the critical path between our current\n                             audit remediation efforts\xc2\xb7and making financial statement assertions. The following steps provide\n                             thenecessarystt\'Uctuteandrequitements toreflnethen1ulti\xc2\xb7year audit\xc2\xb7readiness strategy.\n                             SpeQifically,theapproach identifies the Coast Guard\'s need to:\n\n                                        a, .map.(manci\'li.statement captions, line\xc2\xb7 item.balances,.assertions, and.footnote. disclosures\n                                        to\xc2\xb7key business processes and to the financial and mixed systems through which the                                .\n                                        transactions flow;\n\n                                        b.ldentityassessable units and known wem<oesses and gaps in data quality and process\n                                        documentation;\n\n                                        c.. conduot a risk assessment of each assessable unit based on quantitative and qualitative\n                                        factors. including.sign.ificance\xc2\xb7of interdependencies within\xc2\xb7the \xc2\xb7MAPs,.todetermine the\n                                        prlorities for executing rernedlation anclbuHding assertions;\n\n                                         d.. sumrnatizethecurrentstateoftheinternalcontrordocun1entation,weilknesses, and\n                                         accountbalance information; tnestatusof the desisnand implementatlonofprocess controls;\n\x0c                                                                                             ..   ~\n   -\n Subj: MANAGEMENT RESPONSE TOTl-IE.DRAFTPERFORMANCE.                                      7000\n AUDIT REPOa! ON USCOFY 2008 MISSION ACTION PLANS\n\n\n   the accuracy and yalidityof beginning balances; and the vetificationand validation\n\n   completion;\n\n\n   e.identify entity level controls, resource needs and preliminary timelines, as well as rertne\n   strategies, revise MAPs,and revise/develop detailed project plans; and .                                I\n   f. revise the FSTAR as appropriate to reflect revised project management structure and\n\n   revised\xc2\xb7management control program guidance.\n\n\n3. The Vice Commandant ofthe Coast Guard chartered the Audit Readiness Planning Team\n                                                                                                           I\n(ARPT) to implement this next phase inouron~going efforts. Consisting ofeoast Guard, DRS,\nand contract accounting and resource management professionals, the ARPT will develop the\nrevisedmulti-year entity-wide strategy to achieve financial statement audit readiness. The\n                                                                                                           I\nARPT is scheduled toconclude\xc2\xb7its\xc2\xb7effort by the end\xc2\xb7ofAugust 2008.                                          I\n4. Coincidental to theperfortnanceaudit, the CoastGuard implemented the revised FSTAR\nStandard Operating Procedures (SOP). The revised SOP describeslhe enhanced management\nstl\'lJctureand the roles and tespopsibilitjes ofMAP development\xc2\xb7and monitoring requited of\nprocess ownerscriticaltoaudit remediation efforts,. inclUding the verification and validation\nsteps required to support identification and closure ofcontrol gaps.\n\n5. The Coast Ouardcontinues to invest cJttensive effort in aUclit remecli~tion. The abOVe actions\ncleadyaddresslhe report\'sreconunendationsandwill helpto strengthen. ongoingCoast Guard\naudinemediationpractices. Ifyou have any questions concerning this response please contact\nme, or your staffmay contact CAPT Ekulldayo Faux, Chief, Office of Financial Transformation\nand Compliance, at 202~372 ..3717.\n                                                #\n\n\n\n\n                                                                 ,\n                                                                 \\\n\n\n\n\n                                                2\n\x0cReport Distribution\n\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nUnder Secretary for Management\nAssistant Secretary for Policy\nAssistant Secretary for Public Affairs\nAssistant Secretary for Legislative Affairs\nChief Financial Officer\nChief Information Officer\nChief Privacy Officer\nDHS GAO/OIG Audit Liaison\nCommandant\nCoast Guard Chief Financial Officer\nCoast Guard OIG Audit Liaison\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriation Committees, as appropriate\n\x0c                                                \'.\'\n\n\n\n\nAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web\nsite at www.dhs.gov/oig.                          .\n\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of\ncriminal or noncriminal misconduct relative to department programs or\noperations:\n\n    \xe2\x80\xa2    Call our Hotline at 1-800-323-8603;\n    \xe2\x80\xa2    Fax the complaint directly to us at (202) 254-4292;\n    \xe2\x80\xa2    Email us at DHSOIGHOTLINE@dhs.gov; or\n    \xe2\x80\xa2\t   Write to us at:\n           DHS Office of Inspector GenerallMAIL STOP 2600, Attention:\n           Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,\n           Washington, DC 20528.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'